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AXA rolls out scanner to prioritise patches 


@ Web-based service will 
scan 15,000 devices daily 
on the insurer’s network 
@ Software patches will 
be prioritised for most 
business-critical systems 
Bill Goodwin ~ 

bill. goodwin@rbi.co.uk 


AXA UK is rolling out a web- 
based service to allow it to make 
daily scans of 15,000 devices on its 
IT network for potentially dan- 
gerous security vulnerabilities. 

The insurance company plans 
to use the service to improve the 
security ofits IT systems by iden- 
tifying and prioritising patches 
for the most business-critical vul- 
nerabilities. 


AXA has predicted that the ser- 
vice, Qualysguard, could pay for 
itself more than five times over if 
it succeeds in preventing just one 
serious virus infection. 

“The justification is reduction 
in risk,” said IT security and con- 
tingency manager Monty Couch. 
“We have calculated in the past 
that losing our network for one 
day would cost £1m, so the system 
could easily make a return on in- 
vestment.” 

The scanning service will al- 
low AXA to prove to regulators, 
who are increasingly conscious of 
the risks to IT systems, that it is 


actively managing potential risk, 
said Couch. 

Until now, AXA relied on pen- 
etration testing organisations car- 
rying out an annual check on its 
systems for vulnerabilities, but 
the company felt it needed to test 
far more frequently to keep pace 
with changes to the network. 

The Qualys system will allow 
AXA to define which parts of its 
IT system are most critical to the 
business, to identify vulnerabili- 
ties and to deal with them quickly, 
said Couch. Other less critical 
parts of network will be scanned 
less frequently. 


Read more articles about securing networks at 


computerweekly.com/technology 
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“I believe this could be the dif- 
ference between a worm getting 
into our network or not. If we can 
get this implemented to the high- 
est degree, it will protect us from 
automated attacks and hacking. It 
will allow us to respond quickly 
and to understand and categorise 
the risk quickly,” he said. 

Couch chose the Qualys tech- 
nology after commissioning an 
evaluation at his former em- 
ployer, Standard Chartered Bank, 
which showed it was effective and 
could be quickly installed. 

“We wanted something that 
gives high value and was low ef- 
fort to install,” he said. 

Couch plans to use the man- 
agement information generated 
by Qualysguard to inform the 
board about network security. 


“The way of getting security on 
the agenda and thus getting bud- 
get for security is when you have 
a proven mechanism for demon- 
strating vulnerability,” he said. 
> Network security special report, p51 


Achievingbuy-in 


One of the main challenges in 
introducing the Qualysguard 
system has been persuading AXA’s 
IT security team to embrace the 
new approach. “People could have 
viewed it as checking up on their 
work, so we have put a lot of effort 
into trying to engage the support 
groups. | think they are now seeing 
the benefits,” said IT security and 
contingency manager Monty Couch. 


